CVE-2021-47959 Overview
CVE-2021-47959 is a denial of service vulnerability in the WordPress WPGraphQL plugin version 1.3.5. The flaw allows unauthenticated remote attackers to exhaust server resources through batched GraphQL queries containing duplicated fields. By submitting POST requests to the GraphQL endpoint with amplified field duplication payloads, attackers can trigger out-of-memory conditions on the host and exhaust MySQL connections. The vulnerability is classified under [CWE-770] Allocation of Resources Without Limits or Throttling. No authentication, user interaction, or special access is required for exploitation.
Critical Impact
Unauthenticated attackers can trigger server-wide denial of service by sending a single batched GraphQL request containing duplicated fields, exhausting memory and MySQL connections.
Affected Products
- WordPress Plugin WPGraphQL version 1.3.5
- WordPress instances exposing the /graphql endpoint via WPGraphQL
- Backend MySQL databases serving WPGraphQL-enabled WordPress installations
Discovery Timeline
- 2026-05-15 - CVE-2021-47959 published to NVD
- 2026-05-18 - Last updated in NVD database
Technical Details for CVE-2021-47959
Vulnerability Analysis
The vulnerability resides in how WPGraphQL 1.3.5 parses and executes GraphQL queries received at the /graphql endpoint. GraphQL allows clients to specify multiple fields and batch multiple operations in a single request. WPGraphQL does not enforce limits on query complexity, query depth, or duplicated field selections. An attacker can craft a single POST request containing thousands of duplicated field selections within a batched query.
When the plugin processes such a request, each duplicated field triggers a separate resolver execution and its own database lookups. This causes the PHP worker to allocate large amounts of memory and open a high number of MySQL connections. The result is PHP out-of-memory termination and MySQL "Too many connections" errors that affect the entire WordPress site, not just the GraphQL endpoint.
Root Cause
The root cause is missing input validation on query structure. WPGraphQL does not cap the number of fields, the depth of nested selections, or the size of batched operations. No rate limiting or cost analysis is applied before resolver execution begins. This matches the [CWE-770] pattern of allocating resources without throttling.
Attack Vector
The attack is delivered over the network with no privileges or user interaction. An attacker sends an HTTP POST request to /graphql containing a JSON body with a query that duplicates the same field selection thousands of times, optionally wrapped in a batched array of operations. The server begins resolving each field, opens database handles, and runs out of memory or connection slots before the request completes. Repeated requests keep the site unavailable. Public proof-of-concept code is documented in Exploit-DB #49807 and the VulnCheck Advisory.
No verified exploit code is included here. Refer to the linked advisories for technical proof-of-concept details.
Detection Methods for CVE-2021-47959
Indicators of Compromise
- HTTP POST requests to /graphql with unusually large request bodies, often exceeding several hundred kilobytes.
- PHP error logs showing "Allowed memory size ... exhausted" entries tied to WPGraphQL resolver call stacks.
- MySQL error logs reporting "Too many connections" or connection refusals during GraphQL traffic spikes.
- Sudden web server 5xx responses correlated with traffic to the /graphql endpoint.
Detection Strategies
- Inspect access logs for repeated POST requests to /graphql from the same source IP within short time windows.
- Parse incoming GraphQL request bodies and flag payloads containing more than a configurable threshold of duplicated field names.
- Correlate PHP-FPM worker terminations with concurrent GraphQL traffic to identify resource exhaustion attempts.
- Monitor MySQL max_connections saturation events and trace originating queries back to WPGraphQL resolvers.
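The body-inspection strategy above, written out as an added example (not code from the page, WPGraphQL or any vendor): a lightweight scanner for /graphql POST bodies that counts repeated field selections across a single or batched request. The thresholds, the sample bodies and the function names are assumptions for illustration.

```python
import json
import re
from collections import Counter

# Added example, not WPGraphQL code. This is an approximation, not a full
# GraphQL parser: string literals, argument lists, variables and directives
# are stripped, and the remaining bare identifiers inside selection sets are
# counted as field selections.
_KEYWORDS = {"query", "mutation", "subscription", "fragment", "on",
             "true", "false", "null"}
_STRING = re.compile(r'"(?:\\.|[^"\\])*"')
_ARGS = re.compile(r"\([^()]*\)")          # innermost parenthesised group
_IDENT = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")


def field_counts(query: str) -> Counter:
    """Return how many times each field name is selected in one operation."""
    text = _STRING.sub('""', query)
    while _ARGS.search(text):               # peel nested argument lists
        text = _ARGS.sub("", text)
    text = re.sub(r"\b(query|mutation|subscription)\s+\w+", "", text)
    text = re.sub(r"\bfragment\s+\w+\s+on\s+\w+", "", text)
    text = re.sub(r"\.\.\.\s*\w*|@\w+|\$\w+", "", text)  # spreads, directives, vars
    return Counter(n for n in _IDENT.findall(text) if n not in _KEYWORDS)


def analyze_request(body: str, max_dup: int = 20, max_fields: int = 500) -> dict:
    """Inspect one /graphql POST body. A batched request is a JSON array of
    operations; a single operation is a JSON object. The thresholds are
    hypothetical starting points to tune against a site's normal traffic."""
    data = json.loads(body)
    ops = data if isinstance(data, list) else [data]
    total = Counter()
    for op in ops:
        total.update(field_counts(op.get("query", "") if isinstance(op, dict) else ""))
    name, worst = total.most_common(1)[0] if total else ("", 0)
    fields = sum(total.values())
    return {"operations": len(ops), "fields": fields, "worst_field": name,
            "worst_count": worst, "body_bytes": len(body.encode()),
            "suspicious": worst > max_dup or fields > max_fields}


# Constructed sample bodies: one ordinary query and one amplified batch.
BENIGN = json.dumps({"query": "query Recent { posts(first: 5) { nodes { title } } }"})
AMPLIFIED = json.dumps([{"query": "{ " + "posts { nodes { id } } " * 40 + "}"}] * 3)

if __name__ == "__main__":
    for label, body in (("benign", BENIGN), ("amplified", AMPLIFIED)):
        print(label, analyze_request(body))
```

The same counts can be emitted as log fields so the per-IP rate and body-size checks listed above can be correlated with them in the log pipeline.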
Monitoring Recommendations
- Enable verbose access logging on the WordPress front end with request body size capture for the /graphql route.
- Alert on PHP memory exhaustion errors and MySQL connection saturation in real time through centralized log aggregation.
- Track baseline GraphQL request rates and trigger anomaly alerts when request volume or payload size exceeds normal patterns.
How to Mitigate CVE-2021-47959
Immediate Actions Required
- Upgrade the WPGraphQL plugin to a version later than 1.3.5 that enforces query complexity and depth limits.
- Restrict access to the /graphql endpoint at the web server or WAF layer if the GraphQL API is not required for public use.
- Apply rate limiting on the /graphql route to cap requests per source IP per minute.
- Increase MySQL max_connections and PHP memory_limit only as a short-term cushion, not as a fix.
Patch Information
Update WPGraphQL to the latest available release from the WPGraphQL Official Site or through the WordPress plugin manager. Refer to the VulnCheck Advisory for vendor remediation guidance and the fixed version range.
Workarounds
- Place the GraphQL endpoint behind authentication using a reverse proxy or WordPress access control plugin.
- Deploy a WAF rule that rejects POST requests to /graphql whose body exceeds a defined size threshold or contains excessive field repetition.
- Disable WPGraphQL entirely on sites that do not require GraphQL functionality.
# Example nginx rule to limit /graphql request size and rate
location /graphql {
    client_max_body_size 64k;                      # reject oversized batched bodies
    limit_req zone=graphql_zone burst=5 nodelay;   # per-IP rate cap
    proxy_pass http://wordpress_backend;
}
# Define the rate limit zone in the http block (keyed by client address):
# limit_req_zone $binary_remote_addr zone=graphql_zone:10m rate=10r/m;
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.